Security Patching Is Not Part Of ICS Cyber Hygiene
The term Cyber Hygiene has burst into conferences, papers, webinars and of course marketing literature in the ICS security community. Can we kill it off, or at least correct it, before it takes hold? The latest example is from an otherwise very good article by Andy Bochman of INL in Harvard Business Review. He includes maintaining a detailed inventory, deploying security products like firewalls and IDS, creating air gaps, security awareness programs, and creating a security team as examples of cyber hygiene. The word “hygiene” is used as nothing more than a replacement for “security”.
Hygiene was obviously selected by Andy and many others because it is easy to understand from its common usage, and who can possibly be against hygiene. Wash your hands before eating. Brush your teeth. Take a bath or shower. Don’t put your fingers in your mouth.
The easiest way to see the misuse and flaws in this term is that periodic wellness exams and vaccinations are not hygiene. Not everything a person does, and little a person has done for them, to maintain health is considered hygiene.
If we must keep the term cyber hygiene, then cyber hygiene should only include:
- practices that apply to all participants in the ICS
- practices that do not require any risk analysis to determine if they should or should not be followed
- practices that are so simple they can be stated and fully understood in a single sentence
- practices that are almost universally considered to be helpful and important
Potential examples of cyber hygiene in ICS include:
- Don’t connect your mobile phone to the ICS
- Don’t post information about the ICS on the Internet
- Don’t connect external USB or other removable media to the ICS
From these examples you can see how cyber hygiene could be part of a broad based security awareness program. If it is not something you want to inform and train all involved in the ICS, then it is not cyber hygiene.
Security patching is not cyber hygiene. Operators and most other users should not be applying or even thinking about security patching. There is a risk analysis that is performed before applying patches, and the process of applying patches with testing, phased deployment, and rollback capability is not a simple sentence. Deploying security software and hardware is not cyber hygiene, nor is detection, incident response, backup and most other security controls and practices.
If we insist on coming up with a different term for cyber security in ICS, I’m a strong proponent of cyber maintenance. It fits in the Operations environment. They have a maintenance plan for equipment and systems in the rest of the Plant, why would they not have a maintenance plan for the ICS? Maintenance strategies and plans vary and require judgment as a risk informed cyber maintenance program should.
Of course ICS have all too often had an unspoken cyber maintenance strategy of run to fail. Preventative and predictive maintenance is more common and applicable on components that would have a large impact if an unplanned outage or integrity failure occurred. Operations groups squirm a bit when questioned about the maintenance strategy for their ICS. The term works and is more applicable to the security tasks that the OT security team should be doing.
Or we could just stick with the term cyber security.
Listen to the podcast I recorded with Michael Toecker and Marty Edwards for a deeper discussion on the issue of cyber hygiene and cyber maintenance in ICS.